Setting Up Two-Factor Authentication
Two-factor authentication (2FA) adds a second layer of protection to your account. After entering your password, you'll be prompted for a 6-digit code from an authenticator app. This stops attackers who have your password but not your phone.
We strongly recommend 2FA for all creator accounts and any fan account spending meaningful amounts.
How it works
Without 2FA: an attacker who has your password can log in. Done.
With 2FA: an attacker who has your password also needs the current 6-digit code. Your authenticator app computes that code on your phone from a secret shared with Fansit at setup and the current time, and it changes every 30 seconds. Without your phone (or a backup code), they can't log in.
What you need
A TOTP (time-based) authenticator app on your phone:
- Authy (recommended — has cloud backup).
- Google Authenticator.
- Microsoft Authenticator.
- 1Password / Bitwarden / Dashlane (if you use a password manager that supports TOTP).
- Any other app that implements standard TOTP.
Fansit doesn't offer SMS 2FA: SMS codes are vulnerable to SIM-swap attacks (see "Why TOTP, not SMS" below).
How to set up
- Settings → Account → Two-Factor Authentication.
- Tap Enable 2FA.
- Enter your password to confirm.
- Scan the QR code with your authenticator app, or manually enter the secret key.
- The app shows a 6-digit code that updates every 30 seconds.
- Enter the current code in Fansit to confirm setup.
- Save your backup codes in a secure place (password manager, printed and stored physically).
- 2FA is now active.
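To make the "How it works" and setup sections concrete, here is an added example (not Fansit's code) of the TOTP algorithm the authenticator app runs on the secret key from the QR code, together with the check a server performs when you type the code in. It uses the public RFC 6238 test-vector secret, not a real account secret; HMAC-SHA1, 6 digits, a 30-second step and a one-step tolerance for clock skew are assumptions, as is the 20-byte secret size in `new_secret_b32`.

```python
"""Added example, not Fansit's code: RFC 6238 TOTP, the algorithm behind the
6-digit codes in the authenticator app, plus the check a server runs when you
type a code in. The secret is the RFC 4226/6238 test-vector secret, not a real
account secret. Assumptions (not stated by Fansit): HMAC-SHA1, 6 digits,
30-second step, +/-1 step tolerance for clock skew."""
import base64
import hashlib
import hmac
import secrets
import struct
import time

# Base32 of the RFC test secret "12345678901234567890" (ASCII). This is the
# kind of string shown as the "secret key" next to the QR code.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits (leading zeros kept)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). The counter,
    and so the code, only changes every `step` seconds, which is why the app
    shows one code for 30 seconds and then rolls over."""
    key = base64.b32decode(secret_b32.upper(), casefold=True)
    return hotp(key, at // step)


def verify_totp(secret_b32: str, submitted: str, at: int, window: int = 1) -> bool:
    """Server-side check. Accepts the current step and `window` steps either
    side so a phone whose clock is a few seconds off still works. Rejects
    anything that is not exactly DIGITS ASCII digits, and compares in
    constant time."""
    submitted = submitted.replace(" ", "")
    if len(submitted) != DIGITS or not submitted.isascii() or not submitted.isdigit():
        return False
    key = base64.b32decode(secret_b32.upper(), casefold=True)
    counter = at // STEP_SECONDS
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, counter + delta), submitted):
            return True
    return False


def new_secret_b32() -> str:
    """What a server generates at enrollment (assumed size): 20 random bytes,
    base32-encoded (32 characters, no padding) so the user can type it if
    the QR code cannot be scanned."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


if __name__ == "__main__":
    # RFC 6238 SHA-1 test vectors: 59 -> 287082, 1234567890 -> 005924
    for t in (59, 1111111109, 1234567890, 2000000000):
        print(t, totp(TEST_SECRET_B32, t))
    now = int(time.time())
    code = totp(TEST_SECRET_B32, now)
    print("code now:", code, "verifies:", verify_totp(TEST_SECRET_B32, code, now))
```

The skew window is the reason a code typed a few seconds after it rolled over is still accepted, and the reason a code from two steps ago is not: the server only tries counters one step either side of its own clock.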
Backup codes
When you set up 2FA, you get 10 backup codes. Each code can be used once to log in if you lose access to your authenticator app.
Store them safely:
- Best: in a password manager.
- Second best: printed and stored in a fireproof place.
- Worst: emailed to yourself (if your email is compromised, both your password and backup codes are exposed).
Backup codes are single-use. After using a code, it's gone. Generate new ones from settings if you run out.
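As an added example (not Fansit's code) of what "single-use" means on the server side, this shows how a site can issue a set of backup codes, store only salted hashes of them, and delete a code's record the moment it is redeemed so it cannot be replayed. The code count, length, alphabet and PBKDF2 parameters are assumptions chosen for the example, not Fansit's settings.

```python
"""Added example, not Fansit's code: issuing and redeeming single-use backup
codes on the server side. The user sees the plaintext codes exactly once; the
server stores only salted PBKDF2 hashes, so a database leak does not yield
usable codes. Assumptions (not stated by Fansit): 10 codes, 10 characters each
from an alphabet without look-alike letters, PBKDF2-HMAC-SHA256, 100,000
iterations."""
import hashlib
import hmac
import secrets

# No 0/O, 1/l/I: these codes get printed and read back by hand.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
CODE_CHARS = 10          # 31^10 is about 2^49.5 possibilities per code
CODE_COUNT = 10
ITERATIONS = 100_000


def normalize(code: str) -> str:
    """Accept 'ABCDE-FGHJK', 'abcde fghjk' or 'abcdefghjk' as the same code."""
    return code.strip().lower().replace("-", "").replace(" ", "")


def _hash(code: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalize(code).encode(), salt, iterations)


def issue_backup_codes(n: int = CODE_COUNT, iterations: int = ITERATIONS):
    """Returns (codes to show the user once, records to store). Calling this
    again replaces the whole set, which is what "generate new ones" means."""
    codes = set()
    while len(codes) < n:
        raw = "".join(secrets.choice(ALPHABET) for _ in range(CODE_CHARS))
        codes.add(raw[:5] + "-" + raw[5:])
    codes = sorted(codes)
    stored = []
    for c in codes:
        salt = secrets.token_bytes(16)
        stored.append({"salt": salt, "hash": _hash(c, salt, iterations), "iterations": iterations})
    return codes, stored


def redeem_backup_code(stored: list, submitted: str) -> bool:
    """Consumes one code. On a match the record is deleted from `stored`, so
    the same code cannot be replayed; on a miss nothing changes. Every
    record is checked so a miss costs the same time as a hit."""
    matched = None
    for i, rec in enumerate(stored):
        digest = _hash(submitted, rec["salt"], rec["iterations"])
        if hmac.compare_digest(digest, rec["hash"]) and matched is None:
            matched = i
    if matched is None:
        return False
    del stored[matched]
    return True


if __name__ == "__main__":
    codes, stored = issue_backup_codes()
    print("show these to the user once:", codes)
    print("first use:", redeem_backup_code(stored, codes[0].upper()))   # True
    print("replay:", redeem_backup_code(stored, codes[0]))               # False
    print("codes left:", len(stored))                                    # 9
```

Hashing with a slow, salted KDF rather than plain SHA-256 matters here because a 10-character code from this alphabet has only about 50 bits of entropy: fast hashes of leaked records could be brute-forced offline, while PBKDF2 makes each guess cost 100,000 HMAC evaluations.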
Logging in with 2FA
After 2FA is enabled, every login prompts for:
- Email + password.
- The 6-digit code from your authenticator app.
You can mark a device as trusted to skip the 2FA prompt for 30 days on that specific browser and device. Never mark a public or shared device as trusted: anyone who uses it within those 30 days gets in with just your password.
If you lose your phone
If your authenticator app is gone:
- Use a backup code to log in.
- Disable 2FA immediately from settings.
- Set up 2FA again on your new device.
- Generate fresh backup codes.
If you don't have backup codes either:
- Email support@fansit.com from the email associated with the account.
- Include identifying information (last 4 digits of payment method, recent transaction info, KYC details if you're a creator).
- We'll verify your identity and disable 2FA so you can log in and re-set up.
This process takes 2-5 business days for security reasons.
Recovery scenarios
| Situation | What to do |
|---|---|
| Lost phone, have backup codes | Log in with a backup code, disable 2FA, set up on the new device |
| Lost phone, no backup codes | Email support@fansit.com with identity verification |
| Phone died but I still have it | Wait for it to charge; the codes will work again |
| Got a new phone, didn't transfer 2FA | Same as "lost phone": log in with a backup code or contact support |
| App deleted by accident | Same as "lost phone" |
Disabling 2FA
You can turn off 2FA from settings any time:
- Settings → Account → Two-Factor Authentication.
- Tap Disable 2FA.
- Enter your password and a current 2FA code (or backup code).
- Confirm.
We don't recommend disabling 2FA. If you're moving to a new phone, install the authenticator app on the new phone first, then disable 2FA and immediately re-enable it (scanning the new QR code with the new phone) rather than leaving it disabled.
Why TOTP, not SMS
We don't support SMS 2FA because of SIM-swap attacks, which are common: an attacker convinces your carrier to move your phone number to a SIM they control, receives the SMS code instead of you, and logs in.
TOTP apps generate codes on the device itself from the secret shared at setup and the current time. No code is ever sent over the carrier network, so there is nothing for a SIM swap to intercept or redirect.
For creators specifically
If you're a creator, 2FA is effectively mandatory. Account compromise on a creator account is catastrophic:
- Attacker can post unauthorized content (potentially in zero-tolerance categories that get the account banned).
- Attacker can mass-message subscribers with fraud links.
- Attacker can request payouts to their own bank account.
- Attacker can set up auto-DMs that scam fans.
A few minutes of setup makes a stolen password alone useless for any of that.